In almost every production environment you will implement Citrix Storefront on more than one server to provide high availability (HA) and load balancing (LB). In this step-by-step guide I will show you how to implement Citrix Storefront 2.5.2 on multiple servers and how to configure the load balancing on a NetScaler 10.5 from beginning to end.
For this setup you need the following;
- At least two servers with static IP address for the installation of Citrix Storefront
- A Citrix NetScaler 10.x up and running with the basic configuration
- A free IP address for the Load Balance vServer on the NetScaler
- A DNS record pointing to the free IP address for the vServer
- A server with the Certification Authority and Certification Authority Web Enrollment roles installed on it
For this setup I will use the following components;
- Citrix Storefront server 1 running Win2012R2, IP 192.168.1.40
- Citrix Storefront server 2 running Win2012R2, IP 192.168.1.41
- Citrix NetScaler 10.5
- Free IP address for Load Balancing vServer: 192.168.1.6
- DNS Record: Storefront (pointing to 192.168.1.6)
- My internal CA is running on server DC1
It’s a Citrix best practice to configure Storefront with HTTPS to secure the traffic. If you use the newest Citrix Receiver or want to integrate the Citrix AppController with Storefront, it’s even a requirement. To secure the traffic you need an SSL certificate, and when you implement more than one Storefront server and load balance them as in this case, all Storefront servers and the NetScaler need an SSL certificate for the same hostname. Therefore use a generic hostname, for example storefront.domain.lan.
You can generate an SSL certificate for each server, or generate one SSL certificate on a server and export it so you can install it on the other servers; both ways will work.
In this case I will create a certificate on the NetScaler and export it so I can install it on the Storefront servers. Keep in mind that you also need to install the internal Root CA on the NetScaler; these steps are also included in this guide.
Step 1 – Create and install an SSL Certificate on the NetScaler
In the following steps I will create and install an SSL Certificate on the NetScaler and I will also install the internal Root CA on the NetScaler.
Login to the Citrix NetScaler web GUI and browse to Traffic Management > SSL. On the right side click Create RSA Key
Fill in the following information;
Key Filename: storefront.key
Key Size (bits): 2048
Public Exponent Value: F4
Key Format: PEM
PEM Encoding Algorithm: DES3
PEM Passphrase: A password you like
Verify Passphrase: Same as above
Click on Ok
Click on Create CSR (Certificate Signing Request)
Fill in the following information;
Request File Name: storefront.txt
Key File Name: Browse to the .KEY file you just created
Key Format: PEM
PEM Passphrase (For Encrypted Key): The password you specified in the previous step
Scroll to the bottom of the page and fill in the following information;
Country: Your Country
State or Province: Your State or Province
Organization Name: The name of your organization
City: Name of your City
Email Address: a valid email address
Organization Unit: Your Organization Unit
Common Name: storefront.hobo.lan (replace with your hostname and domain name)
Challenge Password: A password you like
Company Name: Your Company Name
To download the request file click on Manage Certificates / Keys / CSRs
NOTE: If you are using a version below NetScaler 10.5 build 51.x, use another tool such as WinSCP to download files. There is a bug in version 10.5 build 50.x that adds an error line to every file!
Select the storefront.txt file and click Download
Open a web browser and go to your Certification Authority Web Enrollment page (for example https://dc.hobo.lan/certsrv)
To download the Root CA first, click on Download a CA certificate, certificate chain, or CRL
Select Base 64 and click Download CA certificate
Go back to the main screen and click on Request a certificate
Click on advanced certificate request
Click on Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file
Copy the text from the storefront.txt (request file) into the Saved Request window. Select Web Server as Certificate Template. Click Submit
Select Base 64 encoded and click on Download certificate
Open the Citrix NetScaler console and browse to Traffic Management > SSL > Certificates. Click Install
Fill in a certificate name, for example <domain>-CA. Browse (local) to the Root certificate and click Install
Click on Install again
Fill in a certificate name, for example storefront.<domain>.lan. Browse (local) to the storefront.cer file and browse (appliance) to the storefront.key file.
Enter the Password and click Install.
Right click the storefront.<domain>.lan certificate and click Link
Select the Root CA certificate and click OK
Browse to Traffic Management > SSL and click on Export PKCS#12
Fill in a File Name, in this case storefront.pfx, and select the storefront.cer and the storefront.key files. Enter the Export Password and the PEM Passphrase. Click OK
Click on Manage Certificates / Keys / CSRs
Select the storefront.pfx file and click Download
Copy the storefront.pfx file to both Storefront servers.
Step 2 – Install Citrix Storefront 2.5.2 (on both Citrix Storefront servers)
In the next steps I will install Citrix Storefront 2.5.2; this needs to be done on both Storefront servers.
When the Storefront console starts (automatically) close it.
Step 3 – Install the SSL certificate on the Storefront servers (on both Citrix Storefront servers)
The next step is to install the SSL certificate on both Storefront servers before starting with the Storefront configuration.
Open the Internet Information Services (IIS) Manager. On the left side select the server. In the middle of the screen double-click on Server Certificates
Click on Import
Select the storefront.pfx file and fill in the Password. Click OK
On the left side, browse to the Default Web Site, on the right side, click Bindings
Select https as type and select the storefront SSL certificate. Click OK
Step 4 – Configuring Citrix Storefront 2.5.2 (on server 1)
In the following steps I will configure only the basic settings in Citrix Storefront (for configuring Citrix Storefront for remote access see my blog about that here). These steps are performed only on the first server.
Open the Citrix Storefront console and click on Create a new deployment
The base URL is automatically configured with the HTTPS URL. Click Next
Fill in a Store name and click Next
Click Add to add your Delivery Controllers
Fill in the information of your delivery controller and click OK
I will skip Remote Access for now. Click Create
Step 4 – Joining the second Storefront server to the Server group
Once you have configured the first Citrix Storefront server you can join the second one. The second Storefront server will receive the complete configuration of the Citrix Storefront Server Group.
To do so, follow these steps;
On the first server, open the Server Group page and click on Add Server
You now see an Authorizing Server and an Authorization code. This information must be entered on the second server when joining.
On the second server, open the Citrix Storefront console. Click on Join existing server group.
Fill in the information from the first server and click Join
After a refresh you will see that the server is synchronized and that all the servers now have the same configuration.
Step 5 – Configure Storefront Load Balancing on the Citrix NetScaler
Now that Citrix Storefront is up and running on two servers it’s time to configure the Load Balancing on the NetScaler. For that, I will create 2 servers, 1 monitor, 1 services group and the Load Balancing vServer.
On the Citrix NetScaler, open the Configuration tab and browse to Traffic Management > Load Balancing > Servers
Fill in a Server Name, for example “Citrix Storefront 1”. Select IP Address and fill in the IP Address of the first Citrix Storefront server and click Create
Click on Add again to add the second Storefront server.
Fill in a Server Name, for example “Citrix Storefront 2”. Select IP Address and fill in the IP Address of the second Citrix Storefront and click Create
Browse to Traffic Management > Load Balancing > Monitors
Fill in a Name, for example “Storefront Monitor”, and select STOREFRONT as Type.
Browse down to the bottom and enable Secure. Browse back to the top.
Open the Special Parameters tab. Fill in the Storefront Store Name and click Create
Browse to Traffic Management > Service Groups. Click Add
Enter a Name, for example Storefront Group. Select SSL as Protocol and click Continue
Click on the Settings edit button
Enable Client IP and enter the following Header: X-Forwarded-For. Click Save.
Click on Members
Click on the arrow on the right side of the Service Group Members
Select Server Based and select the first Citrix Storefront server. Configure 443 as port and click Save
Click Add again
Select Server Based and select the second Citrix Storefront server. Configure 443 as port and click Save
Click on Monitors
Click on the arrow on the right side of the Members
Select the Storefront Monitor and click Insert
The Storefront Services Group is now created. If everything is correct, the Effective state is UP
Browse to Traffic Management > Virtual Servers and click Add
Fill in a Name, for example Storefront LB. Configure SSL as Protocol. Select IP Address Type, IP Address and enter an available (free) IP Address for the Storefront Load Balancing vServer.
Set the port to 443 and click Continue
Click on Services Group
Click on the arrow on the right side of the Services Group
Select the Storefront Group and click Insert
Click on Persistence
Select SOURCEIP as Persistence and set the Time-out (mins) at 20. Click Save
Click SSL Certificate
Click on the arrow on the right side of Certificates, Server Certificates
Select the storefront.domain.lan and click Insert
Click on the arrow on the right side of Certificates, CA Certificates
Select the internal Root CA and click Insert
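A check for the configuration built in Step 5, added here as an example (it is not part of the original guide or Citrix code): it reads NetScaler CLI lines and reports any point where the path from vServer to Storefront is not SSL, the STOREFRONT monitor is not secure, or a binding is missing. The sample lines are constructed CLI equivalents of the GUI steps; the store name Hobo and the certkey name storefront.hobo.lan are assumptions.

```python
import shlex

# Constructed sample: CLI form of the objects Step 5 creates in the GUI.
# Store name "Hobo" and certkey name "storefront.hobo.lan" are assumptions.
SAMPLE_CONF = """
add server "Citrix Storefront 1" 192.168.1.40
add server "Citrix Storefront 2" 192.168.1.41
add lb monitor "Storefront Monitor" STOREFRONT -storename Hobo -secure YES
add serviceGroup "Storefront Group" SSL -cip ENABLED X-Forwarded-For
bind serviceGroup "Storefront Group" "Citrix Storefront 1" 443
bind serviceGroup "Storefront Group" "Citrix Storefront 2" 443
bind serviceGroup "Storefront Group" -monitorName "Storefront Monitor"
add lb vserver "Storefront LB" SSL 192.168.1.6 443 -persistenceType SOURCEIP -timeout 20
bind lb vserver "Storefront LB" "Storefront Group"
bind ssl vserver "Storefront LB" -certkeyName storefront.hobo.lan
"""

def audit(conf, vserver, group):
    """Return a list of findings for one LB vServer and its service group."""
    cmds = [shlex.split(line) for line in conf.splitlines() if line.strip()]
    def find(*prefix):  # arguments of every command starting with prefix
        return [c[len(prefix):] for c in cmds if c[:len(prefix)] == list(prefix)]
    def opt(args, name):  # value after an option, name matched case-insensitively
        low = [a.lower() for a in args]
        return args[low.index(name.lower()) + 1] if name.lower() in low[:-1] else None
    findings = []
    vs = (find("add", "lb", "vserver", vserver) or [[]])[0]
    if vs[0:1] + vs[2:3] != ["SSL", "443"]:
        findings.append("vserver is not SSL on port 443")
    if opt(vs, "-persistenceType") != "SOURCEIP":
        findings.append("vserver persistence is not SOURCEIP")
    if not any(opt(a, "-certkeyName") for a in find("bind", "ssl", "vserver", vserver)):
        findings.append("no certificate bound to vserver")
    sg = find("add", "serviceGroup", group)
    if not sg or sg[0][:1] != ["SSL"]:
        findings.append("service group protocol is not SSL")
    binds = find("bind", "serviceGroup", group)
    members = [b for b in binds if b and not b[0].startswith("-")]
    if len(members) < 2 or any(m[1:2] != ["443"] for m in members):
        findings.append("fewer than two members, or a member not on port 443")
    mons = [opt(b, "-monitorName") for b in binds if opt(b, "-monitorName")]
    secure = [m for m in mons for a in find("add", "lb", "monitor", m)
              if a[:1] == ["STOREFRONT"] and opt(a, "-secure") == "YES"]
    if not secure:
        findings.append("no STOREFRONT monitor with -secure YES bound")
    if not any(b[:1] == [group] for b in find("bind", "lb", "vserver", vserver)):
        findings.append("service group not bound to vserver")
    return findings
```

An empty list means every check passed; run it against the saved configuration after any change to the monitor or service group.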
The final step is to test the configuration. For that I have changed the backgrounds of the Citrix Storefront servers. Citrix Storefront 1 will be the one with the red background, Citrix Storefront 2 will be the one with the blue background.
For this test I will browse to my Storefront Load Balancing address: https://storefront.hobo.lan/Citrix/HoboWeb
As you can see I’m landing on the first Citrix Storefront server.
To test the load balancing I turned off Citrix Storefront server 1. When looking at the Server Group Members, you can see that the first Citrix Storefront has the Down Service State.
When reloading the Storefront page I’m now landing on the second Citrix Storefront server, as you can see with the blue background. So, Load Balancing is working fine!
Storefront Services Group down state
If you are using NetScaler 10.5 50.9 or NetScaler 10.5 50.10, there is a problem with the Storefront Monitor over SSL. This problem is fixed in NetScaler 10.5 51.10.
If upgrading to this version is not an option, there is a workaround; for more information see this topic: http://discussions.citrix.com/topic/353366-105-build-509-storefront-monitor-insecure-only/